Managing File Access in Azure File Sync with GPO Mapped Folders

Sajjad Raza 0 Reputation points
2025-07-30T23:32:34.2166667+00:00

Azure File Sync is set up with folders mapped via Group Policy Object (GPO).

How can read-only access be enforced for users editing the same file to prevent data loss? Is there a way to implement a check-in/check-out system or another method to manage file access effectively?

Azure Files
An Azure service that offers file shares in the cloud.

1 answer

  1. Pranitha Maddi 5 Reputation points Microsoft External Staff Moderator
    2025-07-31T10:52:56.7966667+00:00

    Hi Sajjad Raza,

    Thanks for your question on the Microsoft Q&A portal!

    Azure File Sync does not support native check-in/check-out like SharePoint or document management systems. However, you can enforce read-only access and simulate controlled editing using a combination of:

    • NTFS permissions
    • Azure RBAC roles
    • File locking policies

    Here are a couple of strategies you might consider:

    Step 1: Use NTFS Permissions on the File Server

    On your on-prem Windows Server (synced via Azure File Sync):

    • Right-click the folder > Properties > Security tab
    • Remove “Modify” or “Write” permissions for users/groups
    • Grant only Read & Execute and List Folder Contents

    Reference Document: Configure directory and file level permissions for Azure Files | Microsoft Learn

    This ensures users can view but not edit files locally.

    Step 2: Use Azure RBAC for Cloud Access

    In Azure, assign users the Storage File Data SMB Share Reader role:

    • Go to the Storage Account > Access Control (IAM)
    • Add role assignment > Select this role > Choose users/groups

    This restricts users to read-only access over SMB from Azure.

    Reference Document: Assign share-level permissions for Azure Files | Microsoft Learn

    Step 3: Disable Offline Files

    If using Folder Redirection via GPO:

    • Disable Offline Files caching to prevent local edits
    • Use GPO: Computer Configuration > Administrative Templates > Network > Offline Files

    Reference Document: Disable Offline Files on individual redirected folders | Microsoft Learn

    This avoids sync conflicts and unintended edits.

    Step 4: Use SMB File Locking

    SMB (Server Message Block) protocol supports file locking, which prevents multiple users from making changes to the same file at the same time. Azure Files supports SMB file locking, which can be used to prevent data loss.

    Steps:

    Enable SMB File Locking:

    • SMB locking can be enabled on Azure Files for Windows and Linux clients. This allows the system to lock a file so that only one user can edit it at a time.
    • Users attempting to edit the file when it is locked will be notified that the file is in use.
    1. Configure File Locking on Azure File Shares:
      • To use file locking with Azure Files, ensure that your Azure File Share is using SMB 3.0 or later.
      • Configure SMB locking in your application or file management systems that access the Azure File Share.
    2. Monitor for Locked Files:
      • Set up alerts or monitoring tools to notify you if a file is locked or if there are attempts to access locked files, allowing you to prevent conflicts or data loss.

    Reference Document: Managing file locks (FileREST API) - Azure Files | Microsoft Learn

    Would you be open to sharing an update or letting me know if further clarification or assistance would be helpful?

    Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

    Thanks,

    Pranitha
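
The read-only setup from Steps 1 and 2 of the answer above, plus a check for files held open by more than one user (the monitoring in Step 4), as an added PowerShell example that is not part of the original answer. The folder path, group name, object ID and the `<...>` scope segments are placeholders; it assumes the Az.Resources module for the role assignment and the built-in SmbShare cmdlets on the Windows file server.

```powershell
# Added example, not from the original answer. Every value below is a placeholder.
$Folder  = 'D:\Shares\Projects'        # server endpoint folder (hypothetical)
$Group   = 'CONTOSO\Project-Readers'   # AD group to restrict (hypothetical)
$GroupId = '<group-object-id>'         # Microsoft Entra object ID of the same group (assumes it is synced)
$Scope   = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' +
           '/providers/Microsoft.Storage/storageAccounts/<storage-account>' +
           '/fileServices/default/fileshares/<share-name>'

# Step 1: swap the group's explicit ACEs for a single inheritable read-only ACE.
$identity = [System.Security.Principal.NTAccount]$Group
$acl = Get-Acl -Path $Folder
$acl.PurgeAccessRules($identity)       # removes explicit ACEs only, not inherited ones
$ruleArgs = $Group, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Any Allow ACE left for the group with write-type rights (e.g. inherited) is a gap.
$writeMask = [System.Security.AccessControl.FileSystemRights](
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
(Get-Acl -Path $Folder).Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $writeMask)
} | Format-Table IdentityReference, FileSystemRights, IsInherited

# Step 2: share-level read-only role (run Connect-AzAccount first; needs Az.Resources).
New-AzRoleAssignment -ObjectId $GroupId -Scope $Scope `
    -RoleDefinitionName 'Storage File Data SMB Share Reader'

# Step 4 (monitoring): files under $Folder held open by more than one user through
# this server's SMB share. Opens made directly against the Azure share are not listed.
Get-SmbOpenFile | Where-Object { $_.Path -like "$Folder\*" } |
    Group-Object -Property Path | ForEach-Object {
        $users = @($_.Group.ClientUserName | Sort-Object -Unique)
        if ($users.Count -gt 1) {
            [pscustomobject]@{ Path = $_.Name; Users = $users -join ', ' }
        }
    }
```

Run it from an elevated session on the Windows Server that hosts the server endpoint. Users who receive write access through a different group are not affected by the Step 1 change.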

